Skip to main content

5510 RDP & Anyconnect

More
15 years 4 months ago #30980 by swixtt
hi guys,
well i'm new here and it seems there is a wealth of information from the reading i've done.
i have a 5510 here that has already been configured and is working fine. i've only added some regular expression to block a few sites.
i've used the ASDM for most of the items but now i need to allow a RDP connection from a known client. we'll be changing the default port to something else.
so, what i need to do is modify the outside interface to allow that network connection to the port.... then configure the NAT rules to allow access through.
is this best done with the command line? if so, what are some examples of the proper syntax for it.

also, how does one go about obtaining the anyconnect client. aren't all licenced asa entitled to use that client. we are using the ipsec client but need a 64bit one. not sure how to go about getting it.

thanks
More
15 years 4 months ago #30982 by sys-halt
anyconnect client comes ship with the ASDM CD, look inside your ASA CD and you should find the package in it. yes Cisco is shipping the AnyConnect Client with every newly ASA Firewall, at least this is what have been told to me by a Cisco Distributor and to my newly experience with ASA configurations.

but I what type of VPN connection type your ASA supports, IPSec or SSL or both, for this answer you should look at the ASA Edition Bundle Part Number.

Please find your ASA edition bundle part number, this usually can be found in the quotation sent to you in your early considerations before you purchased your Cisco Products. Also your ASA IOS image number can guide you in determining the type of purchased bundle part number.

then go to Cisco website and look for the number of connections and type allowed for your specific ASA edition part number.

here is the site that might help you:
www.cisco.com/en/US/prod/collateral/vpnd...900aecd80402e39.html

Now to allow RDP connection you need to create an access list wit ha static statement and assign the access list to your outside interface.

here is one scenario:
[code:1]access-list 101 extended permit tcp any host 192.168.1.20 eq 3389
static (inside,outside) 192.168.1.20 172.16.1.10 netmask 255.255.255.255
access-group 101 in interface outside[/code:1]

IP address: 192.168.1.20, will be your ASA external interface address or one of the IP addresses present in your external IP addresses Pool you made.

IP address: 172.16.1.10, is the IP address of your Internal host present in your Internal Network connected to your inside ASA interface

so once an RDP request hits the ASA external IP 192.168.1.20 the ASA will redirect the RDP request to the Internal host with IP address of 172.16.1.10

good luck
More
15 years 4 months ago #30984 by S0lo
Replied by S0lo on topic Re: 5510 RDP & Anyconnect
Can't explain it better than sys-halt :). Yes, you need both an access list and a static map as sys-halt mentioned. Regarding the static map, you could also forward only the RDP port (3389) to your internal client. Some thing like this:

[code:1]static (inside,outside) tcp 192.168.1.20 3389 172.16.1.10 3389 netmask 255.255.255.255[/code:1]

This way only RDP traffic will be mapped to the internal host (172.16.1.10). So you can map other traffic for other ports to another host using the same external IP. Another advantage of this method is that you could change the RDP port to your desired one, say 4433:

[code:1]static (inside,outside) tcp 192.168.1.20 3389 172.16.1.10 4433 netmask 255.255.255.255[/code:1]

Ofcourse you need to open that same port on your inside RDP host.

Hope this helps.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
15 years 4 months ago #31003 by sys-halt
My code is rusty, an old school coding style:-). I would advice you going with S0lo code, it's clean one and gives you much granular control.

good luck.
Time to create page: 0.125 seconds